Additional info - cannot start in safe mode. Explorer.exe will not start in safe mode. Tried to run AVGAS. IE returns lots of invalid syntax errors. I use FF usually, but even it gets "hung up" more often than is normal. Have gotten a few fatal errors that cause Windows to shut down. System not a complete waste yet, but is increasingly unstable. thx.

Some more - I was finally able to get AVGAS to run in safe mode. I forgot to post the report. Here ya go.

Welcome to SWI. We apologize for the delay; our helpers have been very busy. If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Double-click the drweb-cureit.exe file and allow it to run the express scan.

This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.

Once the short scan has finished, mark the drives that you want to scan.

Select all drives. A red dot shows which drives have been chosen.

Click the green arrow at the right, and the scan will start.

Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, check whether you can click the next icon next to the files found:

If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)

After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list

Save the report to your desktop. The report will be called DrWeb.csv

Close Dr.Web Cureit.

Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.

After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Please also post a fresh HiJackThis log.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

These all appear to be the same process. Path points to the Windows Temp folder, but the file is not found there. In fact, I just checked and that folder is empty. Also the exe name is random. Any ideas on this?

A process that is not turning up on the HJT logs.

alg.exe

I know this is associated with the Windows firewall, but wondering why it does not show up on the HJT log running process list.

I do not know if either of these are something to be worried about or not. Just wondering if you had any thoughts.

I suppose I could have just googled alg, but I was feeling lazy. I knew it was a Microsoft thingy. Thanks for clearing that up.

As to the other, yes if you don't mind, let's see what it might be. Seems odd. Random six alphanumeric characters, always capitalized, that is not where it says it is. Just looks like something trying to hide and not doing a very good job. Could be legit, but smells funny. I ran another HJT scan and this time it turned up as C:\WINDOWS\TEMP\FA2F47.EXE.

Combo fix log

"WSAdmin" - 2007-07-12 20:42:54 - ComboFix 07-07-13 - Service Pack 2

((((((((((((((((((((((((( Files Created from 2007-06-13 to 2007-07-13 )))))))))))))))))))))))))))))))

I think I figured it out. There was a file in the temp folder. Had a dog as the icon. Same icon appears as part of the Trend Micro Office Scan Client. A quick search on Trend Micro's website explains this is an anti-hacking trick. The file and process appear to be legit.

Finally, it is best to update your system regularly, to ensure you have the latest security patches from Microsoft. Update by clicking here: http://v4.windowsupdate.microsoft.com/ and following the prompts.

That's about all.

jedi

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

jedi
